A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'.

BleepingComputer has found that multiple MAS users began reporting on Reddit [1, 2] yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.

You have been infected by a malware called 'cosmali loader' because you mistyped 'get.activated.win' as 'get.activate[.]win' when activating Windows in PowerShell.

The malware's panel is insecure and everyone viewing it has access to your computer.

Reinstall Windows and don't make the same mistake next time.

For proof that your computer is infected, check Task Manager and look for weird PowerShell processes.

Based on the reports, attackers have set up a look-alike domain, "get.activate[.]win," which closely resembles the legitimate one listed in the official MAS activation instructions, "get.activated.win."

Given that the difference between the two is a single character ("d"), the attackers bet on users mistyping the domain.

Security researcher RussianPanda discovered that the notifications are related to the open source Cosmali Loader malware, and could be related to similar pop-up notifications spotted by GDATA malware analyst Karsten Hahn.

RussianPanda told BleepingComputer that Cosmali Loader delivered cryptomining utilities and the XWorm remote access trojan (RAT).

Although it is unclear who pushed the warning messages to users, it is likely that a well-intended researcher gained access to the malware control panel and used it to inform users of the compromise.

MAS is an open-source collection of PowerShell scripts that automate the activation of Microsoft Windows and Microsoft Office using HWID activation, KMS emulation, and various bypasses (Ohook, TSforge).

The project is hosted on GitHub and is openly maintained. However, Microsoft sees it as a piracy tool that activates products without a purchased license using unauthorized methods that circumvent its licensing system.

The maintainers of the project also warned users of the campaign and urged them to check the commands they type before executing them.

Users are recommended to avoid executing remote code if they don't fully understand what it does, always test in a sandbox, and avoid retyping commands to minimize the risk of fetching dangerous payloads from typosquatted domains.

Unofficial Windows activators have been repeatedly used for malware delivery, so users need to be aware of the risks and exercise caution when using such tools.